[graylog2] Re: Need some help with pipeline filtering creating rules

2016-05-03 Thread 'Ovidiu Pacuraru' via Graylog Users
Figured it all out with help on github, the rule should look like this:

rule "drop headers cron job"
when
  contains(to_string($message.message), "COMMAND=/var/www/bin/header.sh")
then
  drop_message();
end

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/99edfbdc-4212-4599-80c4-1ed659b87c22%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Periodically seeing this message: Notification condition [NO_MASTER] has been fixed

2016-05-03 Thread 'Ovidiu Pacuraru' via Graylog Users
I am seeing this message reported about every 20-30 minutes.
I only have one graylog2 server and in its config it is specified as master 
= true 
I did search and most replies were that this is due to time being out of 
sync.
This server is a LXC and automatically gets the correct time from the 
virtualization host which uses ntp so that is not the problem.



[graylog2] Re: Need some help with pipeline filtering creating rules

2016-05-03 Thread 'Ovidiu Pacuraru' via Graylog Users
I will do that right now, for now I assumed it was me screwing up with my 
nginx reverse proxy: 
https://groups.google.com/forum/#!topic/graylog2/Plxz6FY3kRo



[graylog2] Problems with POST requests when using nginx reverse proxy

2016-05-03 Thread 'Ovidiu Pacuraru' via Graylog Users
I have followed this tutorial: 
http://docs.graylog.org/en/2.0/pages/configuring_webif.html?highlight=proxy 
and graylog2 is working fine but I cannot save any new rule for the 
pipelining. As soon as I click the save button I get this error:

> Could not save processing rule ""
> Saving rule "" failed with status: cannot POST 
> http://edgar.ict-consult.co.za:12900/plugins/org.graylog.plugins.pipelineprocessor/system/pipelines/rule 
> (500)

I have no clue what else to try :-/ 
Any hints?



[graylog2] Re: Need some help with pipeline filtering creating rules

2016-05-03 Thread 'Ovidiu Pacuraru' via Graylog Users
Thanks Jochen, that looks exactly like what I need. 
Unfortunately I cannot save that rule, have to figure this one out now:

> Could not save processing rule ""
> Saving rule "" failed with status: cannot POST 
> http://mydomain.tld:12900/plugins/org.graylog.plugins.pipelineprocessor/system/pipelines/rule 
> (500)



[graylog2] Sharing what you do with Graylog2?

2016-04-06 Thread 'Ovidiu Pacuraru' via Graylog Users
I'm only playing with Graylog2, not using it for anything productive but I 
am very impressed and slightly overwhelmed with the possibilities. 
Is there a showcase somewhere of what other users are productively using it 
for and how?



[graylog2] Re: Link to instructions on how to manually install the latest beta?

2016-03-31 Thread 'Ovidiu Pacuraru' via Graylog Users
I seem to have solved this when I found this tutorial showing one should 
use nginx as reverse proxy: http://www.fluentd.org/guides/recipes/graylog2 
I will eventually change this so nginx uses https too for proxying.



[graylog2] Re: Link to instructions on how to manually install the latest beta?

2016-03-30 Thread 'Ovidiu Pacuraru' via Graylog Users
Any help here, I am kinda lost. 
I even went ahead and got myself real certificates from startssl - can I 
use the same for the rest api and for the web interface? 
The web interface is now unreachable: http://edgar.ict-consult.co.za:9000/

seeing these last few lines when restarting graylog:
2016-03-30T09:03:23.231+02:00 WARN  [DeadEventLoggingListener] Received unhandled event of type  from event bus
2016-03-30T09:03:26.050+02:00 WARN  [discovery] [graylog-8d1d7900-84c4-4c2a-86e2-0169d47e7103] waited for 3s and no initial state was set by the discovery
2016-03-30T09:03:26.051+02:00 ERROR [ServiceManager] Service IndexerSetupService [FAILED] has failed in the STOPPING state.
java.lang.IllegalStateException: Can't move to started state when closed
    at org.elasticsearch.common.component.Lifecycle.canMoveToStarted(Lifecycle.java:116) ~[graylog.jar:?]
    at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:62) ~[graylog.jar:?]
    at org.elasticsearch.node.Node.start(Node.java:266) ~[graylog.jar:?]
    at org.graylog2.initializers.IndexerSetupService.startUp(IndexerSetupService.java:114) ~[graylog.jar:?]
    at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
    at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
    at java.lang.Thread.run(Thread.java:745) [?:1.8.0_77]
2016-03-30T09:03:26.051+02:00 ERROR [ServerBootstrap] Graylog startup failed. Exiting. Exception was:
java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {STARTING=[RestApiService [STARTING], IndexerSetupService [STARTING]], FAILED=[WebInterfaceService [FAILED]]}
    at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:713) ~[graylog.jar:?]
    at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:542) ~[graylog.jar:?]
    at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:299) ~[graylog.jar:?]
    at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:122) [graylog.jar:?]
    at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:196) [graylog.jar:?]
    at org.graylog2.bootstrap.Main.main(Main.java:44) [graylog.jar:?]
2016-03-30T09:03:26.051+02:00 INFO  [ServiceManagerListener] Services are now stopped.
2016-03-30T09:03:26.052+02:00 WARN  [DeadEventLoggingListener] Received unhandled event of type  from event bus
2016-03-30T09:03:26.054+02:00 INFO  [Server] SIGNAL received. Shutting down.

I've tried reading through the HTTPS section here: 
http://docs.graylog.org/en/2.0/pages/installation/manual_setup.html but I 
am unsure what the KEY FILE is. Startssl only gave me crt files. 

Any help is much appreciated :-( my current server.conf at 
pastebin: http://pastebin.com/puPzwEN1



[graylog2] broken link in your docs

2016-03-30 Thread 'Ovidiu Pacuraru' via Graylog Users
On this page: 
http://docs.graylog.org/en/2.0/pages/installation/manual_setup.html there 
is a broken link: 
http://docs.oracle.com/javase/8/docs/technotes/tools/solaris/keytool.html



[graylog2] Re: Link to instructions on how to manually install the latest beta?

2016-03-29 Thread 'Ovidiu Pacuraru' via Graylog Users
Looks like simply enabling this is not enough, are there default keys and 
certificates or do I need my own? 

rest_enable_tls = true



Enabling that and 
web_enable_tls = true

kinda works, I am able to reach the web interface via https but cannot log 
in. Checking my console with chrome I see: 

Mixed Content: The page at 'https://edgar.ict-consult.co.za:9000/' was 
loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 
'http://edgar.ict-consult.co.za:12900/system/sessions'. This request has 
been blocked; the content must be served over HTTPS.


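
Added example (not part of the original post and not Graylog's own code): a small Python check for the situation in the message above, where the web interface is served over HTTPS but the browser is still sent to an http:// REST endpoint and blocks the request as mixed content. It also flags listeners bound beyond loopback without TLS. Assumptions: the browser is pointed at rest_transport_uri, falling back to rest_listen_uri when unset; the host name and SAMPLE_CONF are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample using the setting names quoted in this thread;
# it is not the poster's actual server.conf.
SAMPLE_CONF = """\
rest_listen_uri = http://graylog.example.org:12900/
rest_transport_uri = http://graylog.example.org:12900/
rest_enable_tls = true
web_listen_uri = http://graylog.example.org:9000/
web_enable_tls = true
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_conf(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def enabled(conf, key):
    """True only when the setting is present and set to 'true'."""
    return conf.get(key, "false").lower() == "true"


def audit(conf):
    """Return (finding, setting) tuples for risky TLS combinations."""
    findings = []
    # Assumption: the browser is told to use rest_transport_uri and falls
    # back to rest_listen_uri when that setting is absent.
    api_key = ("rest_transport_uri" if "rest_transport_uri" in conf
               else "rest_listen_uri")
    api = urlsplit(conf.get(api_key, ""))
    if enabled(conf, "web_enable_tls") and api.scheme == "http":
        # HTTPS page calling an http:// endpoint: the browser blocks the
        # XMLHttpRequest, so the login request never reaches the server.
        findings.append(("mixed-content", api_key))
    for tls_key, uri_key in (("rest_enable_tls", "rest_listen_uri"),
                             ("web_enable_tls", "web_listen_uri")):
        host = urlsplit(conf.get(uri_key, "")).hostname
        if host and host not in LOOPBACK and not enabled(conf, tls_key):
            # Listener reachable beyond loopback with TLS switched off.
            findings.append(("plaintext-listener", uri_key))
    return findings


if __name__ == "__main__":
    for finding, setting in audit(parse_conf(SAMPLE_CONF)):
        print(f"{finding}: check {setting}")
```
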


[graylog2] Re: Link to instructions on how to manually install the latest beta?

2016-03-29 Thread 'Ovidiu Pacuraru' via Graylog Users
OK, I get it. This test machine is on a virtual machine on the internet 
publicly accessible. 

So what is the best practice? Edit server.conf and enable HTTPS everywhere? 
Would that suffice?



[graylog2] Re: rsyslog logging

2016-03-29 Thread 'Ovidiu Pacuraru' via Graylog Users
Thanks. FYI this is where I got the other option from in case you'd like to 
correct it: 
http://docs.graylog.org/en/2.0/pages/getting_started/rsyslog.html 



[graylog2] rsyslog logging

2016-03-29 Thread 'Ovidiu Pacuraru' via Graylog Users
I've found 2 different methods and was wondering which one is the suggested 
one:

a) *.* @127.0.0.1:5140 
b) *.* @127.0.0.1:5140;RSYSLOG_SyslogProtocol23Format



[graylog2] Re: Link to instructions on how to manually install the latest beta?

2016-03-29 Thread 'Ovidiu Pacuraru' via Graylog Users
Thanks Jochen, here are some more questions:

a) why is it not respecting this setting though: web_listen_uri = 
http://edgar.ict-consult.co.za/ 
I tried: http://edgar.ict-consult.co.za/ - doesn't work and 
http://edgar.ict-consult.co.za:9000/ seems to work.

b) if I set it up like this does that pose a security risk? 

rest_listen_uri = http://edgar.ict-consult.co.za:12900/
rest_transport_uri = http://edgar.ict-consult.co.za:12900/



[graylog2] Re: Link to instructions on how to manually install the latest beta?

2016-03-29 Thread 'Ovidiu Pacuraru' via Graylog Users
Oh, I haven't thought about caching issues. Have reset the config and tried 
another browser and even emptied its cache beforehand. 
=> http://pastebin.com/puPzwEN1 
Problem still persists as above.

Btw. I had downloaded your alpha5 appliance and converted the VMDK into a 
Proxmox compatible format and tested it successfully but with the release 
of your beta I decided that I prefer running this inside a LXC container 
and I also read that you advise not to use the appliance on a public server 
as it apparently exposes different ports to the internet which are not 
secured.



[graylog2] Re: Link to instructions on how to manually install the latest beta?

2016-03-28 Thread 'Ovidiu Pacuraru' via Graylog Users
No idea what happened but I'll reset the VM and start fresh. So on a fresh 
Debian 8 install: 

Partially followed these instructions too although they are for v 1.x 
=> https://www.digitalocean.com/community/tutorials/how-to-install-graylog-1-x-on-ubuntu-14-04 
as the original instructions don't cover that much: 
http://docs.graylog.org/en/2.0/pages/installation/operating_system_packages.html

It seems to work but cannot log in via web, getting: 
*Server currently unavailable. We are experiencing problems connecting to 
the Graylog server running on http://127.0.0.1:12900//. Please verify that 
the server is healthy and working correctly.*
Which doesn't make sense to me as I cannot find any errors in the logs.

In addition to that I can't seem to move graylog web interface off port 
9000, I'd like it to run on port 80 so I tried: 
editing /etc/graylog/server/server.conf 
# Web interface listen URI
web_listen_uri = http://edgar.ict-consult.co.za/
web_listen_uri = http://edgar.ict-consult.co.za:80/
without result. Obviously I restarted the graylog-server yet the web 
interface seems to continue running on port 9000

Any ideas?



[graylog2] Re: Link to instructions on how to manually install the latest beta?

2016-03-26 Thread 'Ovidiu Pacuraru' via Graylog Users
Hi Jochen,

I had tried the last link you gave already but it seems it installs this 
version: *graylog-web-interface v1.3.4 (0d67a80)*

> If you want to install Graylog yourself, you should go with the official OS 
> packages (DEB or RPM) which work on the most used Linux distributions: 
> http://docs.graylog.org/en/2.0/pages/installation/operating_system_packages.html



[graylog2] Link to instructions on how to manually install the latest beta?

2016-03-26 Thread 'Ovidiu Pacuraru' via Graylog Users
I'm slightly confused by all these manuals and docs, I played around with 
the virtual appliance of the alpha5 and would now like to install the beta 
in a fresh VM manually. Anyone got the right link for me?



[graylog2] Re: [ANNOUNCE] Graylog v2.0-beta.1 has been released

2016-03-26 Thread 'Ovidiu Pacuraru' via Graylog Users
Can I upgrade from alpha 5 to beta 1 with these instructions? 
=> http://docs.graylog.org/en/1.3/pages/installation/graylog_ctl.html#upgrade-graylog
